




JOHN F. KENNEDY SPACE CENTER, NASA 
TR-1187 




SPACE SHUTTLE MAINTENANCE PROGRAM 
PLANNING DOCUMENT 


/ 



22B 

" lI / T So.n 17 J CSCL G3/31 50233, 

D • ” • D1 - — 


Prepared by 

Darwin V. Brown 
Space Shuttle Task Group 
Kennedy Space Center, Florida 32899 



* t 






TABLE OF CONTENTS 


Section 


Title 


Page 


GENERAL 


1.1 Introduction. 

1.2 Objective . . 

1.3 Scope 

1.4 Organization 


1-1 

1-1 

1-1 

1-1 



II DEVELOPMENT OF MAINTENANCE PROGRAMS \ 


2.1 Program Requirement. 2-1 

2.2 Scheduled Maintenance Program Content . 2-2 

2.3 Shuttle System/Component Analysis Method . ... . 2-3 

2.4 Vehicle Structure Analysis Method 2-8 

2.5 Engine Analysis Method 2-10 

2.6 Program Development Administration 2-14 

2.7 Supporting Technical Data 2-15 


APPENDICES 

1 SHUTTLE MAINTENANCE PROGRAM DEVELOPMENT CHARTS 

2 DIRECT AND ADVERSE EFFECT ON OPERATING SAFETY 

3 EXPLANATION OF HIDDEN FUNCTIONS 

i . . 

. i • 


V 


Preceding page blank 



iii/iv 


GLOSSARY 

l 

i 

i 

Inherent Level of Reliability and Safety That level which is built into the unit and 

; therefore inherent in its design. This is the 
highest level of reliability and safety that can 
be expected from a unit, system or Shuttle. 

To achieve higher levels of reliability gen- 
erally requires modification or redesign. 

■' • *• j ? 

Maintenance Significant Items . -\ Those maintenance items that are judged by 

' the manufacturer to be relatively the most 
; . \ important from a safety or reliability stand- 

i . j point, or from an economic standpoint. 

Structural Significant Items ! Those local areas of primary structure which 

•. I are judged by the manufacturer to be relatively 

\ ■ the most important from a fatigue or corrosion 

i vulnerability standpoint or from a failure 
| effects standpoint. 

Operational Reliability j The ability to perform the required functions 

• within acceptable operational standards for 
| the time period specified. 

■ . i 

Effective Incipient Failure Detection ] That maintenance action which will reliably 

I ; detect incipient failures if they exist. That 

is, detect the pending failure of a unit or 
system before that system fails. For example, 
detection of turbine impeller cracks prior to 
; impeller failure. 

Real and Applicable Data Those data about real , operating hardware 

J that is similar enough to the hardware under 
! discussion to be applicable to the design of 
: maintenance programs for the current hardware. 

Reduction in Failure Resistance The deterioration of inherent (design) levels 

of reliability. As failure resistance reduces, 
failures increase; resulting in lower reliability. 

; If reduction in failure resistance can be detected, 
• ' I maintenance can be performed prior to the point 

‘ where reliability is adversely affected. 

’ • - ■ ’ | . 

Does Failure Prevent Dispatch i Refers to launch and ferry operations. 


v 



Function 
Failure Modes 

Failure Effects 
Potential Effectiveness 

Routine Operation Crew Monitoring 


BITE 

Minimum Equipment List (MEL) 


Is Elapsed Time for Correction of 
Failure >0.5 Hr. 


The characteristic actions of units, systems, 
and Shuttle. 

The ways in which units , systems and Shuttle 
deteriorate and can be considered to have 
failed. 

The consequence of failure. 

Capable of being effective (maintenance action) 
to some degree. 

That monitoring that is inherent in normally 
operating the Orbiter. For example, the pre- 
flight check list, or the normal operation of 
the Orbiter and its components and through 

ground monitoring by telemetry systems. 

1 . . 

Built in test equipment. 

This assumes that there can be equipment not 
related to the flight worthiness which could be 
inoperable and still dispatch the Shuttle for 
launch or the Orbiter for ferry flight. 

The figure of 0.5 hr is an arbitrary number so 
that time to correct the failure is a considera- 
tion. 


J 

i 

•J 

’ v . 


\ \ 


vi 



SECTION I 
GENERAL 


1.1 INTRODUCTION 


Airline and manufacturer experience in developing scheduled maintenance pro- 
grams for new aircraft has shown that more- efficientj jrograms can be developed through 
the use of logical decision processes .Cthi s docum enpis-agadaptation of the Airline/ 
Manufacturer Maintenance Program Planning^DocuTnent/ MSG-2 yyty provides a syste- 
matic tool to develop a maintenance program which will malntainMhherent design levels 
of operating safety. Principally, the evaluations are based on the system and compo- 
nents functions and failures modes. 

1.2 OBJECTIVE 


It is the objective of this document to present a means for developing a mainte- 
nance program which will be acceptable to the Development Centers, the Operators (KSC 
and AF), and the Manufacturers. The maintenance program data will be developed by 
coordination with specialists from the operators, manufacturers and the development 
center. Specifically it is the objective of this document to outline the general organiza- 
tion and decision processes for determining the essential scheduled maintenance require- 
ments for the Space Shuttle Orbiter. 

This document is intended to facilitate the development of initial scheduled 
maintenance programs. The remaining maintenance, that is non-scheduled or non- 
routine maintenance, is directed by the findings of the scheduled maintenance program 
and the normal operation of the Shuttle. The remaining maintenance consists of mainte- 
nance actions to correct discrepancies noted during scheduled maintenance tasks, non- 
scheduled maintenance, normal operation, ( or condition monitoring. 

1.3 SCOPE 

The scope of this document shall encompass the maintenance program for the 
entire Orbiter and where applicable to other program elements. 

1.4 ORGANIZATION 

The organization to carry out the maintenance program development pertinent to 
the Shuttle shall be staffed by representatives of the Operators, the Prime Manufacturers 
of the Shuttle, and the Development Centers. 


1-1 



1.4.1 The management of the maintenance program development activities shall be 
accomplished by a Steering Group composed of members from the KSC, Air Force, MSC, 
MSFC and representatives of the Orbiter and Engine Manufacturers. It shall be the 
responsibility of this group to establish policy, direct the activities of Working Groups 
or other working activity, carry out liaison with the manufacturer and operators , and pre- 
pare the final program recommendations. 

1.4.2 A number of Working Groups, consisting of specialist representatives from the 
Operators, the Prime Manufacturer, and the Development Centers may be constituted. 

The Steering Group, alternatively, may arrange some other means for obtaining the 
detailed technical information necessary to develop recommendations for maintenance 
programs in each area. Irrespective of the organization of the working activity, it must 
provide written technical data that support its recommendations to the Steering Group. 
After approval by the Steering Group these; analyses and recommendations shall be con- 
solidated into a final report for presentation to the Program Manager. 



1-2 



I 


SECTION II 

DEVELOPMENT OF MAINTENANCE PROGRAMS 


2.1 PROGRAM REQUIREMENT 

A maintenance program must be developed before the Space Shuttle becomes 
operational . 

2.1.1 ^£he primary purpose of this document is to establish an initial maintenance 

program. wTie purpose of this program is to maintain the inherent design levels of opera- 
ting safety^ This program becomes the basis for the first issue of Operations Specifi- 
cations— Maintenance to govern initial maintenance policy. I These are subject to revisions 
as operating experience is accumulated. '' 

2.1.2 It is desirable, therefore, to define in some detail: 

(a) The objectives of an efficient maintenance program, 

(b) The content of an efficient maintenance program, and 

(c) The process by which an efficient maintenance program can be developed. 

• • 

2.1.3 The Objectives of an efficient maintenance program are: 

(a) To prevent deterioration of the inherent design levels of reliability and 
operating safety of the Shuttle, and 

(b) To accomplish this protection at the minimum practical costs. 

2.1.4 These objectives recognize that maintenance programs, as such, cannot correct 
deficiencies in the inherent design levels of flight equipment reliability. The maintenance 
program can only prevent deterioration of such inherent levels. If the inherent levels are 
found to be unsatisfactory, engineering action is necessary to obtain improvement. 

2.1.5 The maintenance program itself consists of two types of tasks: 

(a) A group of scheduled tasks to be accomplished at specified intervals. 

The objective of these tasks is to prevent deterioration of the inherent design levels of 
Shuttle reliability, and 

(b) A group of non-scheduled tasks which results from; 

(1) The scheduled tasks accomplished at specified intervals, 

(2) Reports of malfunctions (usually originated by the flight crew), or 

(3) Condition Monitoring. 

*See Glossary 


2-1 



The objective of these non-scheduled tasks is to restore the equipment to its 
inherent level of reliability 

2 . 1 .5 . 1 This document describes procedures for developing the scheduled mainte- 
nance program. Non-scheduled maintenance results from scheduled tasks# normal opera- 
tion or condition monitoring. 

2.1.6 Maintenance programs generally include one or more of the following primary 
maintenance processes: 

(a) Hard Time Limit: A maximum interval for performing maintenance tasks. 
These intervals usually apply to overhaul , but also apply to total life of parts or units. 

(b) On Condition: Repetitive inspections# or tests to determine the condi- 
tion of units or systems or portions of structure. 

(c) Condition Monitoring: For itemSYhat have neither hard time limits nor 
on condition maintenance as their primary maintenance process. Condition monitoring 
is accomplished by appropriate means available to an operator for finding and resolving 
problem areas. These means range from notices of unusual problems to special analysis 
of unit performance . 

2.2 SCHEDULED MAINTENANCE PROGRAM CONTENT 

The tasks in a scheduled maintenance program may include: 

. " • i ' . 

(a) Servicing i 1 

(b) Inspection 

(c) Testing 

(d) Calibration 
(c) Replacement 

2.2.1 An efficient program is one which schedules only those tasks necessary to meet 
the stated objectives. It does not schedule additional tasks which will increase mainte- 
nance costs without a corresponding increase in reliability protection. 

2.2.2 The development of a scheduled maintenance program requires a very large 
number of decisions pertaining to: 

(a) Which individual tasks are necessary, 

(b) How frequently these tasks should be scheduled, 

(c) What facilities are required to enable these tasks to be accomplished# 

(d) Where these facilities should be located# and 

(e) Which tasks should be accomplished concurrently in the interests of economy. 


2-2 


2.3 SHUTTLE SYSTEM/COMPONENT ANALYSIS METHOD 


The method for determining the content of the scheduled maintenance program for 
systems and components (parts a and b of Paragraph 2.2.2) uses decision diagrams. 

These diagrams are the basis of an evaluatory process applied to each system and its 
significant items using technical data provided (Paragraph 2.7). Principally, the eval- 
uations are based on the systems' and items' functions and failure modes. The purpose is to: 

(a) Identify the systems and their significant items*. 

(b) . Identify their functions*, failure modes* and failure effects*. 

(c) Define scheduled maintenance tasks having potential effectiveness* rela- 
tive to the control of operational reliability*. 

(d) Assess the desirability of scheduling those tasks having potential effec- 
tiveness. 

2.3.1 It should be noted that there is a difference between "potential" effectiveness 
of a task versus the "desirability" of including this task in the scheduled maintenance 
program. The approach taken in the following procedure is to plot a path whereby a final 
judgment can be made as to whether those potentially effective tasks are worthy of inclu- 
sion in an initial maintenance program. 

2.3.2 There are 3 decision diagrams provided (Appendix 1, Chart A, Figures 1 

through 3). Figure 1 is used to determine scheduled maintenance tasks having potential 
effectiveness relative to the control of operational reliability. This determines tasks 
which can be done. \ \ 


Figures 2 and 3 are used to assess the desirability of scheduling those tasks 
having potential effectiveness. 

(a) Figure 2 tasks must be done to prevent direct adverse effects on opera- 
ting safety and to assure availability of hidden functions. 


(b) 


Figure 3 tasks should be 


done for economic value. 



*See Glossary 





1 


2.3.3 The total analysis process is shown diagramatically below. (See Appendix 1 
for details.) -J : 





2-4 




2.3.4 The following guidelines encourage consideration of failure consequences and 
the potential effectiveness of scheduled maintenance tasks. In those cases where failure 
consequences are purely economic, the guidelines lead to consideration of both the cost 
of the scheduled maintenance and the value of the benefits which will result from the task. 

2.3.5 A decision tree diagram (Appendix 1, Chart A) facilitates the definition of 
scheduled maintenance tasks having potential effectiveness. There are five key questions. 

NOTE: Questions (a), (b), and (c) must be answered for each 

failure mode, question (d) for each function, and 
question (e) for the item as a whole. 

(a) Is reduction in failure resistance* detectable by routine operations crew 

monitoring*? ' 

I 

(b) Is reduction in failure resistance detectable by in position maintenance 
or test (BITE or GSE)? 

(c) Does failure mode have a direct adverse effect upon operating safety? 

(See Appendix 2.) 

(d) Is the function hidden from the viewpoint of the operations crew? (See 
Appendix 3.) 

(e) Is there an adverse relationship between age and reliability? 

2.3.6 Each question should be answered in isolation, e.g. in question (c) all tasks 
which prevent direct adverse effects on operating safety must be listed. This may result 
in the same task being listed for more than one question. 

2.3.7 If the answer to question (a) is Yes, this means there are methods available 
through monitoring of the normal in-flight instrumentation to detect incipient conditions 
before undesirable system effects occur. A Yes answer does not require a maintenance 
task. If the answer is No, there is no in-flight monitoring which can detect reduction in 
failure resistance. This question is meant to refer to the operations crews’ ability to detect 
deteriorating calibration or system operation before a failure occurs. NOTE: Tasks 
resulting from in-flight monitoring are part of non-scheduled maintenance. 

2.3.8 If the answer to question (b) is Yes, it means there is a maintenance task, not 
requiring item disassembly, that has potential effectiveness in detecting incipient 
conditions* before undesirable system effects occur. Tasks may include inspection, ser- 
vicing, testing, etc. NOTE: Tasks resulting from a Yes answer to question (b) are part 
of the On Condition maintenance program, j . „ 

' ! .. '> ‘ .... * •. ; 

*See Glossary 


2-5 


2.3.9 If the answer to question (c) is Yes, this failure mode has a direct, adverse 
effect on operating safety. It is necessary to examine the mechanism of failure and 
identify the single cells or simple assemblies where the failure initiates. Specific total 
time, total flight cycle, time since overhaul or cycle since overhaul limitations may be 
assigned these single cells or simple assemblies and the probability of operational fail- 
ures will be minimized. Examples of these actions are turbine engine disc limits, engine 
gimbal actuator limits, etc. In many cases, these limits must be based upon manu- 
facturer's development testing. Fortunately, there is only a small number of failure modes 
which have a direct, adverse effect on operating safety. This results.from the fact that 
failure mode analyses are conducted throughout the process of flight equipment design. 

In most cases, it is possible after identification of such a failure mode to make design 
changes (redundancy, incorporation of protective devices, etc.) which eliminate its direct 
adverse effect upon operating safety. If no potentially effective task exists, then the 
deficiency in design must be referred back to the manufacturer. The term "direct adverse 
effect upon operating safety" is explained in Appendix 2. NOTE: Tasks resulting from 
a Yes answer to question (c) are part of either the Hard Time limitation maintenance pro- 
gram, or the On Condition maintenance program. 

2.3.10 Refer to Appendix 3 for explanation of question (d). If the answer to question 
(d) is Yes, periodic ground test or shop tests may be required if there is no other way of 
ensuring that there is a high probability of the hidden function being available when 
required. The frequencies of these tests are associated with failure consequences and 
anticipated failure probability. A component cannot be considered to have a hidden func- 
tion if failure of that function results in a system malfunction which is evident to the 
flight crew during normal operations. In this case, the answer must be No. NOTE: Tasks 
resulting from a Yes answer to question (d) may be part of either the Hard Time limitation 
or the On Condition maintenance program. 

2.3.11 If the answer to question (c) is Yes, periodic overhaul may be an effective way 
of controlling reliability. Whether or nor a fixed overhaul time limit will indeed be effec- 
tive can be determined only by actuarial analysis of operating experience. NOTE: Tasks 
•resulting from a Yes answer to question (e) are part of the Hard Time limitation maintenance 
program. 

2.3.12 It has been found that overall measures of reliability of complex components, 
such as the premature removal rate, usually are not functions of the age of these compo- 
nents. In most cases, therefore, the answer to question (e) is No. In this event, 
scheduled overhaul cannot improve operating reliability. Engineering action is the only 
means of improving reliability. These components should be operated, therefore, without 
scheduled overhaul . NOTE: Systems or items which require no scheduled tasks are 
included in Condition Monitoring. ; j . 


2-6 



2.3.13 The preceding paragraph is contrary to the common belief that each component 
has an unique requirement for scheduled maintenance in order to protect its inherent level 
of reliability. The validity of this belief was first challenged by actuarial analyses of the 
life histories of various components. More recently, the correctness of the preceding 
paragraph has been overwhelmingly demonstrated by the massive operational experience 

of many airlines with many different types of components covered by Reliability Programs 
complying with FAA Advisory Circular 120-17. 

2.3.14 The questions in Figure 1 are intended to determine maintenance tasks having 
potential effectiveness for possible inclusion in a scheduled maintenance program. How- 
ever, it is probable that many of these "potentially" beneficial scheduled tasks would 
not be "desirable" even though such tasks could improve reliability. This might be true 
when operating safety is not affected by failure or the cost of the scheduled maintenance 
task is greater than the value of such resulting benefits as reduced incidence of component 
premature removal , reduced incidence of departure delays, etc. Additional diagrams are 
used to assess the "desirability" of those scheduled maintenance actions which have 
potential effectiveness. This is accomplished by Figures 2 and 3, Chart A, Appendix 1. 

2.3.15 Figure 2 selects those tasks which must be done because of operating safety 
or hidden function considerations. Figure 3 selects those tasks which should be done 
because of economic considerations. 

2.3.16 Figure 2 assesses tasks listed against the Yes answers of questions c and d 
in Figure 1, and selects those tasks which must be done. 

2.3.17 For the operating safety question, at least one task must be listed for each 
failure mode having a Yes answer to question c of Figure 1. An explanation should be 
given for any question c tasks not selected. 

2.3.18 For the hidden function question, normally at least one task must be listed for 
each hidden function having a Yes answer to Figure 1, question d. If a task is not 
selected, as permitted by Appendix 3, an explanation must be provided. 

2.3.19 Figure 3 assesses tasks listed against the Yes answers in Figure 1, questions 
b and c and select those tasks which should be done because of economic considerations. 

2.3.20 A key question in Figure 3 is the first, "Does real and applicable data* show 
desirability of scheduled task?* A "Yes" answer is appropriate if there is: 

(a) Prior knowledge from missile and aircraft experience that the scheduled 
maintenance tasks had substantial evidence of being truly effective and economically 
worthwhile, and 

(b) The system/component configurations of previous missile or aircraft and 
the Shuttle are sufficiently similar to conclude that the task will be equally effective. 

i ' f ' 

*See Glossary 

2-7 



2.3.21 The question "Does failure prevent dispatch*" refers to whether the item will 
be on the Minimum Equipment List (MEL)*. 

2.3.22 The question "Is elapsed time for correction of failure >0.5 Hr.*" refers to 
whether corrective action can be accomplished with minimum delay. 

2.3.23 When a task "requires evaluation" it is important that the frequency of the 
failure and the cost of carrying out the task are taken into consideration. 

2.4 VEHICLE STRUCTURE ANALYSIS METHOD 

The method for determining the content of the scheduled maintenance program for 
structure is: 

(a) Identify the significant structural items*. 

(b) Identify their failure modes and failure effects. 

(c) Assess the potential effectiveness of scheduled inspections of structure. 

(d) Assess the desirability of those inspections of structure which do have 
potential effectiveness. 

2.4.1 The structure will be treated as hereafter described. This element includes 
the structure (fuselage, crew compartments, payload bay doors, bulkheads, thrust struc- 
ture, wing, tail, etc.); and thermal protection (panels, panel support, insulation, etc.). 
Additionally, the mechanical, assemblies of structural components, such as hatches, 
emergency exits, and flight control surfaces, landing gear, docking systems, separation/ 
attachment, etc., will be treated individually by the processes described in Paragraph 2.3. 

2.4.2 The decision tree diagram. Chart A, Figure 1 of Appendix 1, facilitates the 
definition of scheduled inspections of structure having potential effectiveness. There are 
five key questions . 

(a) Is reduction in failure resistance detectable by routine operations crew 
monitoring? 

(b) Is reduction in failure resistance detectable by in position maintenance 
or test (BITE orGSE)? 

(c) Does failure mode have a direct adverse effect upon operating safety? 

(d) ; Is the function hidden from the viewpoint of the operations crew? 

(e) Is there an adverse relationship between age and reliability? 

i • , * ' 

*See Glossary 

2-8 1 


& 



2.4.3 The answer to question (a) is normally No. However , if in-flight instrumen- 
tation is developed which permits detection of incipient structural failures then the ans- 
wer could be Yes. 

2.4.4 If the answer to question (b) is Yes, there are methods available to detect 
incipient conditions before undesirable conditions occur. It would be expected that all 
redundant external and internal structure would be in this category. NOTE: Tasks 
resulting from a Yes answer to question (b) are part of the Structural Inspection program. 
This program is an On Condition program. 

2.4.5 If the answer to question (c) is Yes, there is a failure mode which has a direct/ 
adverse effect on operating safety for which there is no effective incipient failure detec- 
tion method. It would be expected that non-redundant primary structure would be in this 
category. See Appendix 2 for explanation of "direct adverse effect on operating safety." 
NOTE: Tasks resulting from a Yes answer to question (c) are part of the Hard Time limi- 
tation (usually total time or total cycle limits) maintenance program. 

2.4.6 If the answer to question (d) is Yes, there is a function required of this element 
of structure that is not regularly used during normal flight operations. Some inspection or 
test is therefore necessary to ensure that this function has a high probability of being 
available when required. NOTE: Tasks resulting from a Yes answer to question (d) are 
part of the Structural Inspection program. 

2.4.7 Structures would be expected to have a Yes answer to question (e) but only in 
a very long total time envelope. The tasks performed as a result of Yes answers to the 
other questions are capable of detecting deterioration prior to failure of these items. 

2.4.8 It is probable that some of these "potentially" beneficial scheduled inspections 
would not be desirable, even if such tasks would improve reliability. This might be true 
when airworthiness is not affected by failure and the cost of the scheduled inspection is 
greater than the value of the resulting benefits. Therefore, additional diagrams are used 
td assess the desirability of those scheduled tasks which have potential effectiveness. 
This is accomplished by Figures 2, 4 and 5 (Charts A,B,C) of Appendix 1. A No 
answer to all questions is unlikely for structure. If it occurs, the item is included in 
Condition Monitoring. 

2.4.9 Figure 2 selects those tasks that must be done because of operating safety 
or hidden function considerations. 

2.4.10 Figures 4 and 5 (Charts B and C) of Appendix 1 establish internal and external 

class numbers for structural items. The class numbers take into account vulnerability to 
failure, consequences of failure. The class numbers are to be used as guides for setting 
internal and external inspection frequencies . ' 

i ' 


2-9 



* Th f ' te ,? S t0 be eva,uated by Figures 4 and 5 (Charts B and C) are those 
termed "structurally significant." nose 

2.4 12 Each item is first rated for each of five characteristics per Figure 4 (fatique 
Si faig C u Vt C e 7raUn n g)? SiSta " Ce ' CfaCl< pr0pa9atl0n resista "“' degree of redundancy 

tint i! Ch ,te ™ is the " giv f n an overa,, ratin 9 (R No.) per Figure 4 which considers 
all of the above ratings and combines them by judgment into a single overall rating 

oveSi^ rX S S ,"«•? r UVe le , V f l ° f f trUCtUra ' lntegrity of the item * ln general, the 
JlYc/ R No * for an '* em . IS equal to or less than the fatigue resistance or corrosion 
resistance rating for the item, whichever is lesser. 

If 111! f T p e ' nter 2 al a M d . eX u emal C,3SS numbers for ea ch item are then determined by 

berT Th c n F,9Ur % 5 \^ 6 - hat S °. me items have both internal and external class num- 
itpm'c ™ h-? T for th< ?^ e eternal items which have some probability of the internal 

desrrihpT d ' ,0n -M ,n9 f eV,d 1I 1t bys T e external condition. In these cases the item as 

? nd the intemal " Inspection specified refers to the item 
s described. The external inspection of this item refers to that portion of the external 

th^7ntemaN ! tem' S s clndv ‘ 10 r! In ? n,al a " d which may yle,d some indication of 
s f condition . Therefore , when an external inspection is specified for an 

intemal item it refers to the adjacent external structure and not the internal item itself. 
2 * 5 PROPULSION SYSTEM ANALYSIS METHOD 


gram is: 


The method for determining the content of the scheduled engine maintenance pro- 


fa) Identify the systems and their significant items. 

(b) Identify their functions, failure modes and failure effects. 

to the control ofope^aUonllltl "ility" 3 "" haV '" 9 POlentia ' effeetire " ess relatire 


tiveness. 


(d) Assess the desirability of scheduling those tasks having potential effec- 


(e) 


Determine initial sampling thresholds where appropriate. 


as £ritel l tel^ Stem x S * Wh ° le H d “'h si « n,ficart «"9ine item will be 


" i ,, 


2-10 



2.5.2 The decision tree diagram. Chart A, Figure 1, of Appendix 1, facilitates the 
definition of scheduled inspections having potential effectiveness. There are five key 
questions. 

NOTE: Questions (a), (b), and (c) must be answered for each 
failure mode, question (d) for each function, and 
question (c) for the item as a whole .- 

(a) Is reduction in failure resistance detectable by routine operations crew 
rrionitoring? 

(b) Is reduction in failure resistance detectable by in place maintenance or 
test (BITE or GSE)? 

(c) Does failure mode have a direct adverse effect upon operating safety? 

! (d) Is the function hidden from the viewpoint of the operations crew? 

(e) Is there an adverse relationship between age and reliability? 

2.5.3 If the answer to question (a) is Yes, there are methods available through moni- 
toring the normal in-flight instrumentation (including maintenance recorder) to detect 
incipient conditions before undesirable system effects occur. A Yes answer does not 
require a maintenance task. If the answer is No, there is no in-flight monitoring which 
can detect reduction in failure resistance. NOTE: Tasks resulting from in-flight moni- 
toring are part of non-scheduled maintenance. 

2.5.4 If the answer to question (b) is Yes, there is a maintenance task, not requiring 
engine disassembly, that has potential effectiveness in detecting incipient conditions 
before undesirable system effects occur. Tasks may include inspection, servicing, 
testing , etc. NOTE: Tasks resulting from Yes answers to question (b) are part of the 
On Condition maintenance program. 

2.5.5 If the answer to question (c) is Yes, this engine component has a failure mode . 
with direct, adverse effect on operating safety. It is necessary to examine the mechanism 
of failure and identify the single cells or simple assemblies where the failure initiated. 

Specific total time, or total flight cycle, limitations may be assigned these components 

to minimize the probability of operational failures. NOTE: Tasks resulting from a Yes 
answer to question (c) are part of either the Hart Time limitation maintenance program, 
or the On Condition maintenance program. 

2.5.6 If the answer to question (d) is Yes, there is a function required of this engine 
component that is not evident to the operations crew when the component fails. Some scheduled 
task may be necessary to assure a reasonably high probability that this function is avail- 
able when required. NOTE: Tasks resulting from a Yes answer to question (d) may be 

part of either the Hard Time limitation or the On Condition maintenance program. ; 


. • 'J 


2-11 



2.5.7 It is expected that the answer to question (c) is always Yes for structural 
engine components^ but that their expected life is very long relative to the usual engine 
inspection periods . If tasks defined by questions (a) through (d) are inadequate to control 
wear or deterioration of engine components / additional tasks should be listed here. 

NOTE: Tasks resulting from a Yes answer to question (c) are part of either the Hard Time 
limitation or the On Condition maintenance program. 

t ‘ 

2.5.8 Engine components for which no scheduled tasks are selected are included in 
Condition Monitoring. 

2.5.9 The questions in Figure 1 are intended to determine maintenance tasks having 
potential effectiveness for possible inclusion in a scheduled maintenance program. How- 
ever/ it is probable that many of these "potentially" beneficial scheduled tasks would not 
be "desirable" even though such tasks could improve reliability. This might be true when 
operating safety is not affected by failure or the cost of the scheduled maintenance task 
is greater than the value of such resulting benefits as reduced incidence of component 
premature removal / reduced incidence of delays, etc. Additional diagrams are 

used to assess the "desirability" of those scheduled maintenance actions which have 
potential effectiveness. This is accomplished by Figures 2 and 3 (Chart A) of Appendix 1. 

2.5.10 Figure 2 selects those tasks which must be done because of operating safety or 
hidden function considerations. Figure 3 selects those tasks which should be done because 
of economic considerations. 

2.5.11 Figure 2 assesses tasks listed against the Yes answers of questions c and d 
in Figure 1, and selects those tasks which must be done. 

2.5.12 For the operating safety question, at least one task must be listed for each 
failure mode having a Yes answer to question c of Figure 1. An explanation should be 
given for any question c tasks not selected. 

( 

2.5.13 For the hidden function question, normally at least one task must be listed for 
each hidden function having a Yes answer to Figure 1, question d. If a task is not 
selected, as permitted by Appendix 3, an explanation must be provided. 

2.5.14 Figure 3 assesses tasks listed against the Yes answers in Figure 1, questions 
(b) and (e) and selects those tasks which should be done because of economic considera- 
tions. 

2.5.15 A key question in Figure 3 is the first, "Does real and applicable data show 

desirability of scheduled task?" i 


2-12 



A "Yes" answer is apprpriate if there is: 

(a) Prior knowledge from missile and aircraft experience that the scheduled 
maintenance tasks had substantial evidence of being truly effective and economically 
worthwhile , and 

(b) The system/component configurations of previous missile or aircraft and 
the Shuttle are sufficiently similar to conclude that the task will be equally effective. 

2.5.16 The question "Does failure prevent dispatch" refers to whether the item will be 
on the Minimum Equipment List (MEL). The answer to question (b) is expected to always 
be Yes for engine components that cause engine failure. 

2.5.17 The question "Is elapsed time for correction of failure >0.5 Hr.*" refers to 
whether corrective action can be accomplished with minimum delay. 

2.5.18 When a task "requires evaluation" it is important that the frequency of the 
failure and the cost of carrying out the task are taken into consideration. 

2.5.19 Engine tasks are included in the Threshold Sampling maintenance program. 

This program is described below. 

2.5.20 The Threshold Sampling maintenance program is intended to recognize the On 
Condition design characteristics of modem rocket and turbo-jet engines , while sampling 
to control reliability. This program uses repetitive sampling to determine: 

(a) The condition of engine components. 

(b) The advisability for continued operation to the next sampling limit, and 

(c) The next sampling limit, threshold, or sampling band. 

2.5.21 Initial sampling thresholds are based on: 

(a) The design of the engine under study, the results of developmental 
testing, and prior service experience, 

(b) The results of previous engine programs, 

(c) The fact that samples are available from engines removed for all causes 
at virtually all ages. This means that knowledge of the condition of engines is available 
over the complete continuum of time from start of operation to the highest time exper- 
ienced , and 

(d) The fact that most engine design problems become apparent and can be 
controlled well within any established limits or thresholds. 


*See Glossary 


2-13 


2.5.22 The Threshold Sampling program establishes the initial sampling threshold. 
Operators are subsequently responsible for: 

(a) Evaluating the samples obtained from the initial threshold, 

(b) Determining the next sampling threshold, and 

(c) Determining the number to be sampled at the next theshold. 

. t 

2.5.23 Threshold Sampling is normally accomplished by inspecting the parts or sys- 
tems of engines that are removed and accessible in the shop. These engines provide 
samples over a full range of ages without waiting for the threshold to be reached. The 
results of inspecting these samples are used to determine the future program. When 
samples are not available from engines that are in the shop, scheduled samples or in 
place inspections may be required. 

2.6 PROGRAM DEVELOPMENT ADMINISTRATION 

Program Office participation is encouraged as early and as thoroughly as possible 
in all phases of working group activity. It is recognized that the program manager will 
later be asked to approve the proposed program resulting from these efforts. The following 
activity phases will apply. 

Steering Group general familiarization training. 

Working Group or Working Activity Training. 

Preparation of first draft Significant Items List (Paragraph 2.7.1). 

Establish functions and failure modes applicable to the 
Significant Items. 

Preparation of Figures 1 through 5 decision diagram replies 
and supporting data for each system and significant item. 

Evaluation of manufacturer's technical data and recommended 
tasks by the Working Groups' operational personnel and meeting 
with manufacturer to make necessary revisions and prepare task 
recommendations. 

Development of task frequency recommendations . (This phase 
is meant to follow Phase III. (a). 

NOTE: A Steering Group member should participate in all 
Phase III activity. 


Steering Committee audits are required for these steps before proceeding. 


Phase I . 

Phase II. (a) 

m 

#(c) 

(d) 

Phase III. (a) 
(b) 


2-14 


Phase IV. Presentation to Steering Group (meeting with each Working 

Group or Activity Chairman). 

Phase V. Preparation and presentation of the Steering Group's proposal 

to the program manager. 

2.7 SUPPORTING TECHNICAL DATA 

The following supporting technical data will be provided in printed form, together 
with adequate cross-references on the records of replies to the decision diagrams. 

2.7.1 Maintenance Significant Items List 


This list will include by System Designator, the name, quantity per Shuttle, 
prime manufacturer part number, vendor name and part number for each item considered 
by the Working Group/Activity to require individual analysis. 

2.7.2 Significant Items Data 

(a) Description of each significant item and its function(s). 

(b) Listing of its failure mode(s) and effects. 

(c) Expected failure rate. 

(d) Hidden functions. 

(e) Need to be on M.E.L. 

(f) Redundancy (may be unit, system or system management). 

(g) Potential indications of reduced failure resistance. 

2.7.3 System Data 

(a) Description of each system and its function(s). 

(b) Listing of any failure modes and effects not considered in item data. 

(c) Hidden functions not considered in item data. 



. i 


2-15/16 



APPENDIX 1 

SHUTTLE MAINTENANCE PROGRAM DEVELOPMENT CHARTS 



_■ • V ‘ 



SHUTTLE MAINTENANCE PROGRAM DEVELOPMENT 
CHART A DECISION DIAGRAM 









SHUTTLE MAINTENANCE PROGRAM DEVELOPMENT 


1 


! 





A-2 



SHUTTLE MAINTENANCE PROGRAM DEVELOPMENT 
CHART C STRUCTURE DETECTABILITY EVALUATION 

THIS CHART CONVERTS OVERALL RATING (R) TO INTERNAL & EXTERNAL CLASS NUMBERS 


1 

I 


O 


go 

GO 



O 


in 

> 


o z 

CO — 


< o 


o z 


< 

Ui 

Oi 

< 


Ui 

3 



■ 

X 

LU 


•' o z 
u <* O 
- o z 


I 

I 


as os 




o 01 

CO O Ui 

<Q“ 
O Z < 
— 3 _l 

A o ui 
U. Of 3 
-OIL 




>- 

h- Z 
□ < 

on 

on I 

LU < 
U > 
U O 

< as 

3 >- 

on cq 
> >- 
LU zr 1 

O' ^ 

UJ 5 
X on 
* on 
I — 

on 


>- 

O' 

_i < 

5 t/i 
O 111 

2 u 

(— LU 

Q Z 
Q £ 

^ on on 
OHJf] 

* < U 

< U- . 
LU°^ 
I — • — Z3 

<Zifl 

_J LU ^ 
£L S ^ 

«/> z z 
vtU< 
uj < 3 
Uh° 
U LU O 

< O H 



m 

2 

3 

o> 

L 






_ < 
00 3 

< UO 


U 

LU 

h- 

UJ 

O 


> 5 
O t 

X _l 
< < 
LU Z 
£Z 


< -I 


CkC uj H 
LU 3 X 
L— 1 1 LU 


O' 

0 . LU 


2 u. o 
x o o 


id 

5 z 

gw 
o j— 
U X 
on LU 

:£ LU 
LU -I 
I- 00 


O 

>- 
• t- 

o "] 

I— oo 

5 2 


— z u. 
5 O o 
< u 
co z 
o^o 

O' ^ 


O 

z 


o 

>- 


CO 

< 

CO 

o 

QO 

0- 

5: 

o 


u 

LU I 


A 

uo 


OCC 

CJ<« 


m LU 

> GO 

LU 

CC Qa 


o 


x 

> u 

— i— 

LU LU 
CC Q 
UJ >- 

n 

Sd 
20 
as >- 


< 
UJ 

S. 

>- O' 
00 UJ 

°o 

H g 
or o 


— 1 1 * x 


<c £2 

25 i/o 
or °° 

S lu 

L— O 

C u 

— < 


LU 

-J 

00 


O' 

> ° 

o 2 

^ Q 
LU < 
O' O' 


cn 


j^GO 


GO 


O 


W W — H- *■*- " 

ou rv — ~ 


hM 

Q U 

a: _ 
m o 

h-Z 
X m 
UJ u 

o z 

Z l/T 



c/5 3g ~ 

S vo - - 111 
X t/5 O 

LU > U J 3 
u- •£* < w _i 

H Z U 
UJ UJ < Z 
^Q£L — 
LU r\ 

^ Z — > on Z 

i ~lsr 

2 5tS*“ 


u 

UJ 


.Q 



ae£<*“ 

uj fi i u~ -g 

t u>-o ! 
>< uz as j 
w<<u. 


A-3/4 



APPENDIX 2 

DIRECT AND ADVERSE EFFECT ON OPERATING SAFETY 


The following elaborates on the term "direct and adverse effect on oper- 
ating safety." 

During the design process considerable attention is given to system 
and component failure effect analysis to ensure that failures that result in 
loss of function do not immediately jeopardize operating safety. In many 
cases, redundancy can cause the consequences of a first failure to be 
benign. In other cases, protective devices serve this purpose. Although 
it may not be possible to continue to launch the Shuttle without correcting 
the failure and although it may indeed be desirable to make an unscheduled 
landing after failure, the failure cannot be considered to have an immediate 
adverse effect upon operating safety. The inclusion of the word direct in 
the phrase "direct adverse effect upon operating safety" means an effect 
which results from a specific failure mode occurring by itself and not in 
combination with other possible failure modes. 



t 

i 

i 

i 


B-l/2 



APPENDIX 3 

EXPLANATION OF HIDDEN FUNCTIONS 


A component is considered to have a "hidden function" if either of the followinq 

exists: 


(a) The component has a function which is normally active whenever the system 

is used / but there is no indication to the operations crew when that function ceases to perform. 

(b) The component has a function which is normally inactive and there is no 
prior indication to the operations crew that the function will not perform when called upon. 

The demand for active performance will usually follow another failure and the demand may 
be activated automatically or manually. 


Examples of components possessing hidden functions exist in a bleed air system. 

A bleed^air temperature controller normally controls the bleed air temperature to a maximum 
of 400 F. In addition / there is a pylon shutoff valve which incorporates a secondary 
temperature control / should the temperature exceed 400°F. A duct overheat switch is 
set to warn the flight crew of a temperature above 480°F, in which event they can shut 
off the air supply from the engine by actuating the pylon shutoff valve switch. There is 
no duct temperature indication. 

The bleed air temperature controller has a hidden active function of controlling 
the air temperature. Since there is a secondary temperature control in the pylon valve and 
since there is no duct temperature indicator / the flight crew has no indication of when the 
temperature control function ceases to be performed by the temperature controller Also 
the flight crew has no indication prior to its being called into use that the secondary ' 
temperature control function of the pylon valve will perform. Therefore, the pylon valve 
has a hidden inactive function. For a similar reason, the duct overheat warning system 
has a hidden inactive function. And the pylon valve has a hidden inactive function 

(manual shutoff) since at no time in normal use does the flight crew have to manually close 
the valve. 3 

The hidden function definition includes reference to "no indications to the flight 
crew of performance of that function. If there are indications to the flight crew, the 
function is evident (unhidden). However, to qualify as an evident function, these indica- 
tions must be obvious to the flight crew during their normal duties, without special moni- 
toring (bear in mind, however, that special monitoring is encouraged as a part of the 
maintenance program to make hidden functions into evident ones). 


It is recognized that, in the performance of their normal duties, the flight crews 
operate some systems full time, others once or twice per flight, and others less frequently. 
All of these duties, providing they are done at some reasonable frequency, qualify as 


C-l 


C. 



11 mear ] s / for example, that although an anti -Icing system is not used every 
flight it is used with sufficient frequency to qualify as a "normal" duty. Therefore, 
the anti -icing system can be said to have an evident (unhidden) function from a flight 
crew s standpoint. On the other hand, certain "emergency" operations which are done 
at very infrequent periods (less than once per month) such as emergency gear extension, 
fuel dump actuation, etc. cannot be considered to be sufficiently frequent to warrant 
classification as evident (unhidden) functions. 

Another example is the Apollo/Saturn SIV-B APS pneumatic regulators system. 

A pair of series redundant regulators control the propellant ullage pressure at 196 ±3 
psia. The secondary regulator is set 4 psi above the primary regulator and also has a 
tolerance band of ±3 psi which allows a potential 2 psi overlap. There is no pressure 
transducer between the regulators and no position indicator on either. The only available 
information is the ullage pressure measurement which cannot distinguish which regulator 
is in operation because of the overlapping tolerance bands. 

It is therefore possible to have an undetected failure of this primary regulator and 
a liftoff on the backup system. 

The analysis method requires that all hidden functions have some form of scheduled 
maintenance applied to them. However, in those cases where it may be difficult to check 
the operation of hidden functions, it is acceptable to assess the operating safety effects 
of combined failures of the hidden function with a second failure which brings the hidden 
function failure to the attention of the flight crew. In the event the combined failures do 
not produce a direct adverse effect on operating safety, then the decision whether to 
apply maintenance to check the pertinent hidden function becomes an economic decision 
to be considered by Figure 3 (Chart A, Appendix 1). 

Note also, in some cases, it is acceptable to accomplish hidden function checks 
of removable components during unscheduled shop visits, providing the component has at 
least one other function which when failed is known to the flight crew and which causes 
the unit to be sent to the shop. Also, the hidden function failure mode should have an 
estimated reliability well in excess of the total reliability of the other functions that are 
evident to the flight crew. 


. r • ;• '•* • ' «*■ 


< • . ; ■ \ i * 

i 


C-2 


• i 
i 



